I am running a very simple search to determine accounts locked out:
server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name="*" | Table Account_Name _time
In the results, under Account_Name, I would like to exclude the computer account name (Server01$...), considering that the user account name is related to the computer account name.
Like this:
index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo (server01 OR server02 OR server03 OR server04) EventCode=4740 Security_ID="*" Account_Name!="*$"
I like Woodcock's reply; the component below was most valuable for eliminating computer account names:
Account_Name!="*$"
How about?
server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name!="*Server01$*" | stats values(Account_Name) as List | mvexpand List
@Stevelim I've been looking for this answer for 2 days now. You saved me!!! Thank you!
Great to hear!
Try this? A mix of rex and fields trickery:
server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name="*" | table Account_Name _time | rex field=Account_Name "^(?<user>[^$]+)$" | where isnotnull(user) | fields - Account_Name
This should give you a new field called user and omit the Server##$ accounts.
You can use the where command for that:
server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name="*"
| where NOT Account_Name=Computer_Name
| Table Account_Name _time
Or even an eval:
server01 OR server02 OR server03 OR server04 EventCode=4740 Security_ID="*" Account_Name="*"
| eval Same = if(match(Account_Name,Computer_Name),1,0)
| search Same = 0
| Table Account_Name _time
Running both searches, as a result I obtained:
Domain controller computer account    user name
domainctrl1$                          j.doe
domainctrl2$                          s.brown
domainctrl1$                          j.smith
I am looking just for the list of the user names:
j.doe
s.brown
j.smith
Hi, I'm not sure what you mean, but if you just need the list of usernames, then simply pipe the last line in your query to fields or table followed by the field name you want to display; you can even remove duplicates with dedup. For instance:
your search here
| dedup UserName
| table UserName
If that's not what you are looking for then it might be easier if you paste your query here.
Reviving this as I am seeking an answer to the same issue and have yet to be able to find it.
What arkonner was saying is that they don't want the computer accounts to show in the results. I am trying to do the same but simply ignoring values that end in "$" is sloppy and could potentially hide valid results.
This search highlights the issue: I do not want to display results where the user matches any Workstation_Name appended with "$". The only way to make this work that I can think of is to build an array of Workstation_Name values and eliminate users that match any value in the array... but I'm relatively new to Splunk and don't know how to do that yet.
index=wineventlog sourcetype="wineventlog:security" src_ip= | stats count by Workstation_Name user
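As an added example (not from any of the posts above), one way to do the exact-match exclusion the last post asks for: a subsearch collects every Workstation_Name seen in the 4740 events, appends "$" to each to form the matching computer account name, and the outer search excludes only those exact values, so a user account that merely happens to end in "$" is kept. It assumes, as in the post's own search, that `user` holds the locked-out account and `Workstation_Name` the caller computer.

```spl
index=wineventlog sourcetype="wineventlog:security" EventCode=4740
    NOT [ search index=wineventlog sourcetype="wineventlog:security" EventCode=4740
          | stats count BY Workstation_Name
          | eval user = Workstation_Name . "$"
          | fields user ]
| stats count BY Workstation_Name user
```

The subsearch expands to `NOT (user="ws1$" OR user="ws2$" ...)`, and subsearches are capped by default at 10,000 results and 60 seconds, so on a large estate replace it with a lookup of computer accounts exported from AD instead.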